Scaling Trust: An Anthropology of Cyber Security (Renewal)

扩展信任：网络安全人类学（续订）

• 批准号: MR/X023338/1
• 负责人: Matthew Spencer
• 金额: $ 75.85万
• 依托单位: University of Warwick
• 依托单位国家: 英国
• 项目类别: Fellowship
• 财政年份: 2024
• 资助国家: 英国
• 起止时间: 2024 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=MR%2FX023338%2F1
• 关键词: Scaling; Trust; Anthropology; Cyber; Security

Scaling Trust is an interdisciplinary research project drawing on resources from anthropology, sociology, communication studies, literary theory, philosophy of science and computing. Using interviews, textual analysis, workshops and ethnography, Scaling Trust examines recent transformations in Cyber Security across four distinct domains, and asks: how are novel models and methods reshaping trust and securing in contemporary society? How do new forms of narrativizing threats, problems of technology and scale, and security solutions define what a secure future may be?A) In the initial period of the fellowship, we investigated current transformations in technology assurance. Security in this domain has been treated as a quality of technical products, a quality that can be tested and measured in an evaluation lab. In recent years, we can observe increasing awareness of unintended side effects of reliance on trusted products and the rise of new approaches focused on risk and the quality of communication.B) We also, in the initial fellowship period, examined the emergence of 'de-perimeterised' security models, today most prominently associated with 'Zero Trust' IT architectures. We examine the nature of security models in general, and how this one in particular has challenged intuitions of information security as the protection of an 'inside' of a private network, and focussed attention instead on asset value. This formulation of the object of securing has profound implications for what counts as a security technology, and for how users/people are positioned and treated. C) In the renewal period, we will conduct an empirical study of the 'DevSecOps' movement, a movement that aims to reconfigure organisations, so that security, here understood as an organisational function, is no longer in a 'silo', but becomes integrated in collaborative multi-function delivery teams. The focus on social architecture here draws on classic organisational thinking in software development, such as Conway's law (that technology tends to inherit a pattern of organisation from the structure of teams who made it), on 'Secure by Design' concepts, and is driven by the demands of continuous delivery methodologies. Securing is here understood as what a part of an organisation does, alongside developing, maintaining and operating.D) During the renewal period, we also build out a study of the recent emergence of hardware-based vulnerabilities, such as Rowhammer, SPECTRE and Meltdown, which have fundamentally challenged some of the certainties upon which security reasoning was built. These vulnerabilities drew attention to the level of hardware as a source of uncertainty, challenging the notion that security can be understood via analysis of logics implemented in software. In addition to preventing attacks, securing thus becomes a matter of being responsive to novel vulnerabilities as they emerge. In Scaling Trust, we examine the narrativization of security, how securing is constituted as a meaningful activity in distinct, but intersecting ways, as these expert domains undergo transformation: how security is variously posed as a problem of A) evaluation, B) architecture, C) organisation and D) function. If, as we argue, the nature of cyber security is not fixed, but rather refracts through a number of expert practices, it is important to examine and make sense of how it is changing and the implications for society, for organisations and for policymakers.Scaling Trust includes a portfolio of engagement activities with policymakers and with organisations. It involves the use of a palette of qualitative research methodologies, but also the development of a new participatory workshop format, called 'Trust Mapping' for organisations and researchers. It is a fellowship project, and thus also involves investment in the PI, Dr Matt Spencer, supporting his career trajectory and development of a position of research leadership in cyber security.

Scaling Trust是一个跨学科的研究项目，利用人类学、社会学、传播学、文学理论、科学哲学和计算机的资源。使用访谈、文本分析、研讨会和民族志，Scaling Trust研究了网络安全在四个不同领域的最新变化，并提出问题：新的模式和方法如何重塑当代社会的信任和安全？新形式的叙事威胁、技术和规模问题以及安全解决方案如何定义安全的未来？a)在团契的初始阶段，我们调查了当前技术保障方面的变革。这一领域的安全一直被视为技术产品的质量，一种可以在评估实验室进行测试和测量的质量。近年来，我们可以观察到越来越多的人意识到依赖可信产品会产生意想不到的副作用，以及关注风险和通信质量的新方法的兴起。b)在最初的团契期间，我们还研究了“去边界”安全模型的出现，目前最显著的安全模型与“零信任”IT体系结构有关。我们考察了安全模型的一般性质，以及这一模型如何特别地挑战了信息安全作为保护专用网络“内部”的直觉，并将注意力集中在资产价值上。安全对象的这种表述对什么是安全技术以及如何定位和对待用户/人具有深远的影响。C)在更新期内，我们将对旨在重新配置组织的“DevSecOps”运动进行实证研究，以便安全--在这里被理解为一种组织职能--不再处于“孤岛”，而是整合到协作的多功能交付团队中。这里对社会架构的关注借鉴了软件开发中的经典组织思想，例如Conway定律(技术倾向于从创建它的团队的结构中继承组织模式)，关于“通过设计确保安全”的概念，并由持续交付方法的需求驱动。在这里，安全被理解为组织的一部分所做的事情，以及开发、维护和运营。d)在更新期间，我们还对最近出现的基于硬件的漏洞进行了研究，如Rowhammer、SPECTE和Meltdown，这些漏洞从根本上挑战了安全推理所基于的一些确定性。这些漏洞引起了人们对硬件水平作为不确定性来源的关注，挑战了可以通过分析软件中实现的逻辑来理解安全的概念。因此，除了防止攻击之外，保护安全还需要在新出现的漏洞出现时做出反应。在Scaling Trust中，我们考察了安全的叙事化，随着这些专家领域经历转变，安全如何以不同但交叉的方式构成一项有意义的活动：安全如何被不同地假设为A)评估、B)架构、C)组织和D)功能的问题。如果正如我们所说的那样，网络安全的性质不是固定不变的，而是通过大量专家实践折射出来的，那么重要的是检查并理解它正在如何变化，以及它对社会、组织和政策制定者的影响。规模信托包括与政策制定者和组织的一系列接触活动。它包括使用定性研究方法的调色板，但也为组织和研究人员开发了一种新的参与式研讨会形式，称为“信任图谱”。这是一个奖学金项目，因此还包括对私人投资公司Matt Spencer博士的投资，以支持他的职业发展轨迹和网络安全研究领导地位的发展。